ASR 1000 System & Solution - clnv.s3.amazonaws.com · ESP t FECP QFP Crypto Assist. interconn. PPE...

ASR 1000 System & Solution Architectures

Jason Yang - CCIE #10467, Technical Marketing Engineer

BRKARC-2001

• Introducing the ASR 1000

• ASR 1000 System Architecture

• ASR 1000 Building Blocks

• ASR 1000 Software Architecture

• ASR 1000 Packet Flows

• Integrated Security on ASR 1000

• Applications & Solutions

Agenda

Introducing the ASR 1000

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

ASR 1000 Aggregation Service RouterKey Design Principles

Ethernet

WAN and Provider

Edge Services

Voice and

Video

Services

(CUBE)

Security Services

(Firewall, VPN,

Encryption)

Multi-Service, Secure WAN Aggregation

Services

Application

Performance

Optimization

(AVC, PfR)

Best in Class

Availability

Enterprise IOS Features

with Modular OS and

Software Redundancy or

Hardware Redundancy

and ISSU

Best in Class ASIC

Technology

Quantum Flow Processor

(QFP) for high scale services

and sophisticated QoS with

minimum performance impact


Cisco ASR 1000 Series Routers: Overview2.5 Gbps to 200Gbps – Designed today to scale up in the future

INSTANT ON

SERVICE DELIVERY BUSINESS-CRITICAL RESILIENCY

COMPACT,

POWERFUL ROUTER

• Scalable on-chip service enablement through software licensing

• Industry leading VPN/Crypto solutions

• Optimal user/app experience with AVC, PfRv3, and AppNav

• Software consumption model with CiscoONE

• Fully separated control and forwarding planes

• Hardware and software redundancy

• In-service software upgrades

• Inter and Intra-chassis redundancy

• DCI to support clustering across geographically dispersed DC

• Line-rate performance 2.5G to 200G

• Investment protection with modular engines, IOS CLI and SPAs for I/O

• Hardware assists for ACL, QoS, etc.

• Hardware-based QoS engine with up to 464k queues

• New Ethernet CC and 100GE EPA: ASR1000-MIP100, EPA-1x100GE

ASR 1004

ASR 1009-X

ASR 1001-HX

5 to 36

Gbps

10 to 40

Gbps

40 to 100

Gbps

40 to 200

Gbps

2.5 to 20

Gbps

ASR 1001-X

Fixed Chassis Modular ChassisIOS-XE

ASR 1013

40 to 200

Gbps

ASR 1006-X

ASR 1002-HX

44 to 100

Gbps

BRKARC-2001 6

ASR 1002-X

44 to 100

Gbps

20 to 100

Gbps

ASR 1006


ASR 1000 Positioning

Perf

orm

ance a

nd S

cala

bility

Service Provider Edge Routers

ISR Series

ASR1000

2.5-200Gbps perSystem

Distributed PE, Firewall, IPsec

Route Reflector

CUBE/VoIP

Broadband

7600 Series

Up to 2 Tbps per system

Carrier Ethernet

IP RAN

Mobile Gateways

SBC/VoIP

Video Monitoring

Enterprise Edge and Managed Services Routers

Managed L2/L3 VPNs

Integrated SecurityApplication Recognition

ISR4000 Series

1-2 Gbps per System

Separate Services Planes for Continuity

Pay-As-You-Grow

850 Mbps per System

350 Mbps with Services

BRKARC-2001 7

ASR 9000

Up to 48 Tbps per system

Carrier Ethernet

IP RAN

L2/L3 VPNs

Vidmon

BNG


ASR 1000 Enterprise ApplicationsFlexible WAN Services Edge & CPE

Mobile subscriber

Corporate office

High end branch

High Speed CPE

High-end Branch

Campus Edge

WAN aggregation

WAN Aggregation

IPSec VPN

L2 and L3 VPN

IWAN

DCI

Internet gateway

Cloud

Data Center Interconnect

Internet gateway

Cloud Services Edge

BRKARC-2001 8


ASR 1000 Service Provider ApplicationsA Wide Variety of Use Cases

CPE

Access and AggregationMobile Subscriber

Business

Residence

Wireless

Wire line

Cable

ISP

IP/MPLS Core

Edge

CGN

LNS

CPE

OLT

xPON

xDSLDSLAM

DOCSIS

ETTx

M-CMTS

PE

BNG

iWAG

VOD TV SIP

Content Farm

Peering

RR

L2/L3 VPNsIPsec/NAT/FWNBAR2

PPP or IP AggregationATM or EthernetIntelligent Services GatewayWiFi Access Gateway

BRKARC-2001 9

ASR 1000 System Architecture


Midplane

ASR 1000 Building BlocksE

SP

act

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnect

RP

act

CPU

interconn GE switchS

IP

SPA SPA

IOCPAGG

ASIC

interconnect

RP

stb

y

CPU

interconn. GE switch

ES

Pstb

y

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnect

ELC

Built-in GE/10GEs

IOCPAGG

ASIC

interconnect

MIP

EPA EPA

IOCPAGG

ASIC

interconnect

BRKARC-2001 11


Midplane


SP

act

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnect

RP

act

CPU


IP

SPA SPA

IOCPAGG

ASIC

interconnect

RP

stb

y

CPU


Embedded Service Processor

• Handles forwarding plane traffic

ES

Pstb

y

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnectRoute Processor

• Handle control plane

• Manages system

ELC

Built-in GE/10GEs

IOCPAGG

ASIC

interconnect

MIP

EPA EPA

IOCPAGG

ASIC

interconnect

SPA Interface Processor

• Houses Shared Port Adapter (SPA)

• Packets buffer

Ethernet Linecard

• Built-in GE/10GE ports

• Packets buffer

Modular Interface Processor

• Houses Ethernet Port Adapter (EPA)

• Packets buffer

BRKARC-2001 12


Midplane


SP

act

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnect

RP

act

CPU


IP

SPA SPA

IOCPAGG

ASIC

interconnect

RP

stb

y

CPU


Embedded Service Processor

• Handles forwarding plane traffic

ES

Pstb

y

FECP

QFPCrypto

Assist.

interconn.

PPE BQS

FECP

Crypto

Assist.

interconnectRoute Processor

• Handle control plane

• Manages system

ELC

Built-in GE/10GEs

IOCPAGG

ASIC

interconnect

MIP

EPA EPA

IOCPAGG

ASIC

interconnect

SPA Interface Processor

• Houses Shared Port Adapter (SPA)

• Packets buffer

• Centralized Forwarding Architecture • All traffic flows through the active ESP,

standby is synchronized with all the states

• Distributed Control Architecture• All major system components have a

powerful control processor dedicated for control and management planes

Ethernet Linecard

• Built-in GE/10GE ports

• Packets buffer

Modular Interface Processor

• Houses Ethernet Port Adapter (EPA)

• Packets buffer

BRKARC-2001 13

ASR 1000 Building Blocks:Modular Chassis


ASR 1000 Modular Chassis OverviewASR 1004 ASR 1006 ASR1006-X ASR 1009-X

AS

R 1

01

3

RP Slots 1 2 2 2 2

ESP Slots 1 2 2 2 (super) 2 (super)

SIP/MIP Slots 2 (SIP only) 3 (SIP only) 2 3 6

Built-In Ethernet N/A N/A N/A N/A N/A

Redundancy Software Hardware Hardware Hardware Hardware

Height 7” (4RU) 10.5” (6RU) 10.5” (6RU) 15.7” (9RU) 22.7” (13RU)

Bandwidth 10 – 40 Gbps 10 -100 Gbps 40 - 100 Gbps 40 - 200 Gbps 40 - 200 Gbps

Max Output Pwr 765W 1275W1100 power modules

N+1, Max 6

1100 power modules

N+1, Max 63200W

Airflow Front to back Front to back Front to back Front to back Front to back

BRKARC-2001 18


ASR 1009-X

BRKARC-2001 19

System Management

RJ45 Console

Auxiliary Port

2x USB Ports

I/O Connectivity

12x SPA slots (SIP-40)

3x ELC slots

6x EPA (MIP-100)

BITS clocking

Stratum 3 built-in

Power Supply

Modular power supply with N+1 redundancy

High efficiency, Load sharing, Hot-swappable

AC (1100W) or DC (950W)

Control Plane

Support RP2 and RP3

8 - 64 GB Memory

FIPS-140-2 certification

Hardware Redundancy

Dual ESP and RP slots for data plane and control plane redundancy

ISSU

Forwarding Plane (ESP)

Up to 200Gbps per system

Supports ESP40, ESP100, ESP200 and future ESPs

Modular Fan Tray

Field Replaceable

30% improvement in airflow per slots vs integrated Fan module


ASR 1000 Modular Chassis Compatibility Matrix

Chassis RP2 RP3 SIP40 ELC MIP100 ESP20 ESP40 ESP100 ESP200

ASR1004 Yes No Yes Yes No Yes Yes No No

ASR1006 Yes No Yes Yes No Yes Yes Yes No

ASR1013 Yes Yes Yes Yes Yes(2)(3) No Yes Yes Yes

ASR1006-X Yes(1) Yes Yes Yes Yes(3) No Yes Yes No

ASR1009-X Yes(1) Yes Yes Yes Yes(3) No Yes Yes Yes

*

(1)RP2 with new CPLD

(2)100G support in Slots 2&3; others at 40G

(3)ASR1000-MIP100 is not supported with ESP40

BRKARC-2001 20


ASR1000-MIP100 (Modular Interface Processor)

1x100G

100G

100G Line rate

No oversubscription

1x100G

2 to 1 oversubscription

1x100G

10x10G

Line rate

No oversubscription

Mid

pla

ne

ESP100/200

MIP100

1006-X/1009-X with

ESP100/ESP200

BRKARC-2001 21


MIP100 ArchitectureRPs

GE, 1Gbps

I2C

EPA Control

ESI, 110 Gbps

Hypertransport, 10Gbps

Other

2 EPAs 2 EPAs

Standby ESP

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

InterconnectDDRAM

Boot Flash

JTAG Ctrl

EEPROM

Temp Sensor

Reset / Pwr Ctrl

RPs

Chassis

management

Active ESPInput ref clocks

Netw

ork

clo

cks

2 EPAs 2 EPAs

RPs

Network

clock

distribution

Output ref clocks

BRKARC-2001 22


Ethernet Port Adapter (EPA)

EPA Modular Chassis with

MIP-100

ASR1002-HX Optics Modules

EPA-1x100GE XE 3.16.1

XE 16.2.1

XE 16.4.1

EPA-CPAK-2x40GE XE 3.16.2

XE 16.3.1

XE 16.4.1

EPA-10x10GE XE 3.16.4

XE 16.2.1

XE 16.3.1 (MACSec)

XE 16.3.1

XE 16.3.2

(MACSec)

SFP-10G-SR, SFP-10G-SR-X, SFP-10G-LR, SFP-

10G-LRM, SFP-10G-LR-X, SFP-10G-ER

EPA-18x1GE XE 16.2.1

XE 16.3.2 (MACSec)

XE 16.2.1

XE 16.3.1

(MACSec)

GLC-GE-100FX, GLC-SX-MMD, GLC-LH-SMD,

SFP-GE-T, GLC-BX-U, GLC-BX-D, GLC-TE, GLC-

SX-MM, GLC-LH-SM, GLC-EX-SMD, GLC-ZX-

SMD, CWDM-SFP, DWDM-SFP

CAB-MPO24-2XMPO12CPAK-100G-SR10 QSFP-40G-SR4

10 Metres

CPAK-100G-SR10 CPAK-100G-LR4

BRKARC-2001 23


RP2 RP3

CPU 2.66GHz Intel Xeon Dual-core 2.2GHz Intel Broadwell Quad-core

Default memory 8GB (4x2GB) – DDR2 8GB (2x4GB) – DDR4

Memory upgrade options 16GB (4x4GB) 16GB (2x8GB), 32GB (4x8GB); 64GB (4x16GB)

Built-In eUSB Bootflash 2GB 8GB

Storage80GB HDD

external USB

100GB SSD default, 200GB and 400GB upgrade options

external USB

IOS XE OS 64 bits 64 bits

Chassis Support

ASR 1004

ASR 1006

ASR 1013

ASR 1006-X

ASR 1009-X

ASR 1006-X

ASR 1009-X

ASR 1013

Modular Route Processors: RP2 & RP3

BRKARC-2001 27


ASR 1000 RP3 ArchitectureHighly Scalable Control Plane Processor

ESPs

Output clocks

SIPs/MIPs

ESPs RP SIPs/MIPs

RPESPs SIPs/MIPs

SIPs/MIPs

Inputclocks

RP

CPU

2.2 GHz quad-core

I2C Chassis

Management Bus

Interconnect EOBC Switch

CPU Memory

8/16/32/64 GB

Management

EthernetUSBConsole

& Aux

NVRAM

Bootflash

Stratum-3 Network

clock circuit

BITS

(input & output)

RP

GE, 1Gbps

I2C

ESI, 11.2 Gbps

BRKARC-2001 28

SSD


ASR1000 Embedded Services Processor (ESP) Centralized, programmable, multiprocessor forwarding engine providing full-packet processing

Packet Buffering and Queuing/Scheduling (BQS)

For output traffic to carrier cards/SPAs/EPAs

For special features such as traffic shaping, reassembly,replication, punt to RP, cryptography, etc.

5 levels of HQoS scheduling, up to 464K Queues,Priority Propagation

Dedicated crypto co-processor

Interconnect providing data path links (ESI) to/fromother cards over midplane

Transports traffic into and out of the CiscoQuantum Flow Processor (QFP)

Input scheduler for allocating QFP BW among ESIs

FECP CPU manages QFP, crypto device, midplane links, etc.

ESP40

ESP100

BRKARC-2001 29


ESP Bandwidth

• Overall throughput is determined by the type of ESP and SIPs used in modular platforms.

• Modular platforms are rate limited by speed of bus from QFP complex to backplane ASIC

• Bandwidth is expressed in terms of aggregated throughput, use ESP100 as example:

50 Gbps 50 Gbps

50 Gbps50 Gbps

• 50G Unicast in each direction

• Total Output bandwidth 50+50=100

• 10G Multicast with 8X replication in one direction

• 20G unicast in the other direction

• Total Output bandwidth 80+20=100G

10G 80G

20G 20G

• 50Gbps Unicast in one direction and 70Gbps Unicast in the other direction

• Total output bandwidth (50+70=120) exceeds 100Gbps; only 100Gbps will be forwarded.

• 10Gbps Multicast with 10X replication in one direction• 10Gbps Unicast in the other direction• Total bandwidth (100+20=110) exceeds 100Gbps; only

100 Gbps will be forwarded

50 Gbps 50 Gbps 10G 100G

70 Gbps70 Gbps 20G20G

BRKARC-2001 27


ASR 1000 Forwarding ProcessorQuantum Flow Processor (QFP) Drives Integrated Services & Performance

QFP complex

Crypto

FECPGE, 1Gbps

I2C

ESI

Hypertransport, 10Gbps

Other

RPs RPs RPsESP SIPs

TCAMResource

DRAM

Packet Buffer

DRAM

Dispatcher Packet Buffer

Memory

…

Packet Processor Engines

PPE1 PPE2 PPE3 PPE4

PPE5 PPE6 PPE64

BQS

Chassis

Mgmt BusInterconnect

Bootflash

Memory

BRKARC-2001 31


ASR 1000 ESPs in Modular ChassisESP20 ESP40 ESP100 ESP200

System bandwidth (IMIX) 18 Gbps 41 Gbps 130 Gbps 227 Gpbs

Performance (IMIX) 6 Mpps 14 Mpps 45 Mpps 78 Mpps

QFP cores 40 40 128 256

Clock Rate 1.2 GHz 1.2 GHz 1.5 GHz 1.5 GHz

Suite B support No No Yes Yes

Crypto BW (IMIX/1400B) 4/6 Gbps 7/10 Gbps 15/27 Gbps 45/70 Gbps

QFP Resource Mem 1GB 1GB 4GB2 GB / QFP

8GB total

Packet Buffer 256MB 256MB 1GB 2GB

Control CPUSingle core

1.2 GHzDual core

1.8 GHzDual core1.73 GHz

Dual core1.73 GHz

Control Memory 4 GB 8 GB 16 GB 32 GB

TCAM 40 Mb 40 Mb 80 Mb 2 x 80 Mb

Chassis SupportASR1004 ASR1006

ASR1004 ASR1006 ASR1013

ASR1006-X ASR1009-X

ASR1006 ASR1013

ASR1006-X ASR1009-X

ASR1013 ASR1009-X

BRKARC-2001 32


Cisco Quantum Flow Processor (QFP)ASR1000 series innovation

• Five year design and continued evolution – now on 3rd generation

• Architected to scale to > 100Gbps

• Multiprocessor with 64 multi-threaded cores; 4 threads per core

• 256 processes per chip available to handle traffic

• High-priority traffic is prioritized

• Packet replication capabilities for Multicast

• Many H/W assists for accelerated processing

• 3rd generation QFP is capable for 70Gbps, 32Mpps processing

• Mesh-able: 1, 2 or 4 chips to build higher capacity ESPs

• Latency: tens of microseconds with features enabled

Cisco QFP

Packet Processor

Cisco QFP Traffic Manager

(Buffering, Queueing, Scheduling)

QFP Chip Set

BRKARC-2001 35


Cisco Enterprise Routing NPU LeadershipContinuing Investment in Network Processor Technology

Increasing network intelligent and services requirements

Over 100

Patents

Awarded!

1st Gen QFP

20G

2nd Gen QFP

40G

3rd Gen QFP

200GLower Cost fully

integrated NPU

and IO device

4th Gen QFP

> 200G

linerate security

and high perf

intelligent WAN

Pe

rfo

rma

nce

20122008 2018

#cores: Number of Packet Processing Engines

#threads: concurrent, parallel threads processed

High Speed Backplane Aggregation ASIC

IO Oversubscription & Aggregation ASIC

NPU

BRKARC-2001 36

ASR 1000 Fixed Platforms


ASR 1001-X ASR 1002-X ASR 1001-HX ASR 1002-HX

SPA Slots 1 3 N/A N/A

EPA Slots N/A N/A N/A 1

NIM Slots 1 N/A N/A 1

Built-In GE 6 6 8 8

Built-In TenGE 2 N/A 4 + 4 (configurable 10GE/GE) 8

CPU 2.0GHz quad-core 2.13GHz quad-core 2.5GHz quad-core 2.5GHz quad-core

Memory8GB; upgradable to

16GB

4GB; upgradable to

8GB/16GB8GB; upgradable to 16GB

16GB; upgradable to

32GB

StorageeUSB(8GB)

SSD (200GB, 400GB)

eUSB(8GB)

Optional HDD (160GB)eUSB(32GB)

eUSB(32GB)

SSD (200GB, 400GB)

IOS Redundancy Software Software Software Software

Height 1.75” (1RU) 3.5” (2RU) 1.75” (1RU) 3.5” (2RU)

Throughput 2.5 to 20Gbps 5 to 36Gbps 60Gbps 100Gbps

Maximum Output Power 250W 470W 360W 500W

Airflow Front to back Front to back Front to back Front to back

ASR 1000 Fixed Chassis Overview

BRKARC-2001 38


Multi-Core Network Processor

60Gbps forwarding capacity

62 Cores

4 HW Threads / Core

248 simultaneous threads

Miscellaneous

RJ45 & mini-USB console

Secure Boot

ASR 1001-HX

Built in I/O

8x Gigabit Ethernet interfaces

8x TenGigabit Ethernet interfaces (4 configurable 10G/1G ports)

Multipoint MACSEC for linerate encryption (1G & 10G)

Pay as you go

License on built-in ports

4x TenGE+ 4xGE enabled by default

The remaining ports can be enabled in pairs

Control plane

CPU: Quad Core @ 2.5 GHz

Memory: 8GB DDR3 default memory, upgradeable to 16GB

Secure Boot + Image Signing

Crypto module

Field upgradeable

16 Gbps crypto throughput

Suite B support

BRKARC-2001 39


• ASR 1001-HX can be ordered with or without the crypto module

• Crypto module can be installed in the field unit when it need the function

• Crypto bandwidth licensed from factory (default 8Gbps, upgradeable to 16Gbps on demand)

• 16Gbps crypto license unlocks crypto performance cap of 29Gbps (1400bytes)

ASR 1001-HX Crypto Module

BRKARC-2001 40


Multi-Core Network Processor

100 Gbps forwarding capacity

124 Cores

4 HW Threads / Core

496 simultaneous threads

Miscellaneous

RJ45 & mini-USB console

eUSB: 32GB

Secure Boot

ASR 1002-HX

Network Interface Module

1 double wide or 1 single wide NIM

Ethernet Port Adapter

1x EPA slotBuilt in I/O

8x Gigabit Ethernet interfaces

8x TenGigabit Ethernet interfaces

Multipoint MACSEC for linerate encryption (1G & 10G)

Pay as you grow

License on built-in ports

4x TenGE+ 4xGE enabled by default

The remaining ports can be enabled in pairs

Power Supply & Fans

Modular PS, FRUable

Fan Tray

Crypto module

Field upgradeable

25 Gbps crypto throughput

Suite B support

Control plane

CPU: Quad Core @ 2.5 GHz

Memory: 16GB DDR3default memory,upgradeable to 32GB

Secure Boot + Image Signing

BRKARC-2001 41


• ASR 1002-HX can be ordered with or without the crypto hardware

• Crypto module can be installed in the field unit when it need the function

• Crypto bandwidth licensed from factory (default 8Gbps, upgradeable to 16Gbps and 25Gbps on demand)

• 25Gbps crypto license unlocks crypto performance cap of 39Gbps (1400bytes)

• ASR 1002-HX must be powered down to install/remove crypto module

ASR 1002-HX Crypto Module

BRKARC-2001 42


ASR 1002-HX Architecture

CPU

2.5 GHz Quad-core I2C Chassis

Management Bus

CPU Memory

Management

EthernetUSB

Console

& Aux NVRAM

Boot Flash

QFP1

TCAM

(80Mbit)

BQS

PPEs

PPE1 PPE2 PPE3

PPE4 PPE62

Crypto

8xGE8x10

GEEPANIM

Dispatcher

Pkt Buffer

QFP2

BQS

PPEs

PPE1 PPE2 PPE3

PPE4 PPE62

Dispatcher

Pkt Buffer

Interconnect

Interface Aggregation ASIC

75Gbps75Gbps

150Gbps

Resource

DRAM

(2GB)

Pkts Buffer

DRAM

(512MB)

Resource

DRAM

(2GB)

Pkts Buffer

DRAM

(512MB)

80Gbps 8Gbps11Gbps 120Gbps

75Gbps Memory

(4GB)

I2C

Serdes Interface

Hypertransport

BRKARC-2001 43


ASR 1000 QFP in the Fixed Chassis

ASR 1001-X ASR 1002-X ASR 1001-HX ASR 1002-HX

System throughput (IMIX)

2.5 - 20Gbps 5 - 36Gbps 60Gbps 100Gbps

Performance

(64Bytes)19Mpps 34Mpps 43Mpps 78Mpps

QFP cores 31 62 62 124

Clock Rate 1.5 GHz 1.2 GHz 1.5 GHz 1.5 GHz

QFP Resource Mem 4GB (unified)

256MB

1GB 4GB 4GB

Packet Buffer 512MB 512MB 1GB

TCAM 10 Mb 40 Mb 40Mb 80 Mb

BRKARC-2001 46

Software Architecture


• IOS XE = IOS + IOS XE Middleware + Platform Software

• Operational Consistency—same look and feel as IOS Router

• IOS runs as its own Linux process for control plane (Routing, SNMP, CLI etc.) 64-bit operation

• Linux kernel with multiple processes running in protected memory

• Fault containment

• Re-startability

• ISSU of individual SW packages

• ASR 1000 HA Innovations

• Zero packet loss with RP Failover

• <50ms ESP Failover

• Software redundancy

IOS XE Software architecture

ES

P

RP

IOS

active

Platform Adaptation Layer

(PAL)

Forwarding

manager SIP

/MIP

IOS

standby

Chassis

manager

Linux Kernel

Forwarding

managerChassis

manager

Linux Kernel

QFP client

QFP driver

Linux Kernel

Chassis

manager

SPA driverSPA driverSPA/EPA

driver

Control

messaging

BRKARC-2001 49


Software Architecture – Modular Platform

ES

P

RP

IOS


(PAL)

Forwarding

manager SIP

/MIP

Chassis

manager

Linux Kernel

Forwarding

managerChassis

manager

Linux Kernel

QFP client / driver

QFP code

Linux Kernel

Chassis

manager


driver

Control

messaging

• Initialization of RP processes

• Initialization of installed cards

• Detects and manages OIR of cards

• Manages system status,

environments, power, EOBC

• Provides abstraction layer between

hardware & IOS

• Manages ESP redundancy

• Maintains copy of FIB and interface list

• Communicates FIB status to active &

standby ESP

• Runs Control Plane

• Generates configurations

• Maintains routing tables (RIB, FIB…)

• Communicates with forwarding

manager on RP

• Maintains copy of FIBs

• Provides interface to QFP client &

driver

• Programs QFP forwarding plane and

QFP DRAM

• Statistics collection & RP

communication

• Driver Software for SPA/EPA

interface

cards is loaded independently

• Failure or upgrade of driver

does not affect other

SPAs/EPAs in the chassis

BRKARC-2001 50


• Single Control CPU

• Quad-core

• 64 bit OS

• 8GB, 16GB, 32GB memory support

• Standard IOS XE Processes

• Running over a single Linux kernel

• High Availability

• IOS redundancy

• Fault Containment

• Process Restartability

• Operational Consistency

• Same look and feel as standard IOS

• Ethernet Out of Band Channel

• Method by which processes in different subsystems communicate

Software Architecture – Fixed Platform

Chassis Mgr.

Forwarding Mgr.IOSact

RP Subsystem

Kern

el (incl. u

tilit

ies)

Interface Mgr.

Chassis Mgr.

SPA driver

I/O Subsystem

Chassis Mgr.

Forwarding Mgr.QFP Client / Driver

ESP Subsystem

ASR1001-X Control Plane CPU

SPA driver SPA/EPA

driver

BRKARC-2001 51

IOSstby


ES

P

RP

IOS

active


(PAL)

Forwarding

manager SIP

/MIP

IOS

standby

Chassis

manager

Linux Kernel

Forwarding

managerChassis

manager

Linux Kernel

QFP client

QFP driver

Linux Kernel

Chassis

manager


driver

Control

messaging

1. RPBase: RP Linux operating system

Upgrading of the OS will require reload to the RP and expect minimal changes

2. RPIOS: IOS executable

facilitates Software Redundancy feature

3. RPAccess (K9 & non-K9): Software required for Router access

Two versions available (with and without open SSH & SSL)

facilitates software packaging for export-restricted countries

4. RPControl : control plane processes for IOS / hardware interface

IOS XE Middleware

5. ESPBase: All ESP code

Any software upgrade of the ESP requires reload of the ESP

6. SIP/MIPBase: SIP/MIP OS & control processes

OS upgrade requires reload of the SIP/MIP

7. SIPSPA/MIPEPA: Intfs drivers and FPD

Facilitates SPA/EPA driver upgrade of specific SPA/EPA slots

Software Sub-packages

1

3

2

4

5

6

7

BRKARC-2001 52


IOS XE Release and support timelines

FCS EoVS

PSIRT Phase

EoSMEoSales

Standard releases – twice a year (March, November) supported for 18 months

• 6 months of active bug-fix, 6 months of limited bug fix, and 6 months of PSIRT

• Rebuild Intervals: 3 + 3 + 6 + 6 (PSIRT build as needed)

3 months 6 months 6 months3 months.1S .2S .3S

Optional PSIRT build

.4S

FCS EoVS

Extended releases - Once a year (July) supported for 48 months

• 30 months of active bug-fix, 6 months of limited bug fix, and 12 months of PSIRT

• Rebuild Intervals: 3 + 3 + 4 + 4 + 4 + 6 + 6 + 6 + 6 + 6 (PSIRT builds as needed)

EoSMEoSalesEoSales

Notification

HPC

3 m 3 m 4 m 4 m 4 m 6 m 6 m 6 m 6 m 6 m

Optional PSIRT builds

.1S .2S .3S .4S .5S .6S .7S .8S .9S .10S

BRKARC-2001 53


IOS XE 16

• Upgrade Impact on ASR 1000

Same IOS XE software infrastructure, feature, functionality, behavior and user experience (i.e. CLI, MIBs…)

Few HWs are not supported

ISSU incompatible, require ROMmon upgrade and reload.

Feature Parity between XE3.17 and XE16.3.1

• Release Numbering

16.3.1 Denali

Major Release Number

Feature Release Number

Build Number

Feature Release Name

Open & ExtensiblePlatform

App Hosting

Faster Innovation

Automate and Orchestrate

Model Driven

API’s

Reduce OPEX

Consistent Customer Experience

Patching

Device Management

Troubleshooting

Lower Cost

Physical and Virtual Infrastructure

Any Platform Any ASIC

BRKARC-2001 54


What to expect – HW (1)

Supported Unsupported

Platforms ASR1001-X, ASR1002-X

ASR1001-HX, ASR1002-HX

ASR1004, ASR1006

ASR1013

ASR1006-X, ASR1009-X

ASR1001

ASR1002

Route Processors (RP) ASR1000-RP2, ASR1000-RP3 ASR1000-RP1

Forwarding Processors (ESP) ASR1000-ESP20

ASR1000-ESP40

ASR1000-ESP100

ASR1000-ESP200

ASR1000-ESP5

ASR1000-ESP10

Line cards ASR1000-SIP40

ASR1000-2T+20X1GE

ASR1000-6TGE

ASR1000-MIP100

ASR1000-SIP10

BRKARC-2001 55


What to expect – HW (2)

Supported Unsupported

Ethernet Port

Adapters (EPA)

EPA-1X100GE

EPA-2x40GE

EPA-10X10GE

EPA-18X1GE

N/A

Shared Port

Adapters (SPA)

SPA-8XCHT1/E1-V2, SPA-4XCT3/DS0-V2, SPA-2XCT3/DS0-V2, SPA-2XT3/E3-V2,

SPA-4XT3/E3-V2, SPA-8XT3/E3, SPA-1CHSTM1/OC3V2, SPA-1XCHOC12/DS0, SPA-

4XT-SERIAL

SPA-4X1FE-TX-V2, SPA-8X1FE-TX-V2, SPA-2X1GE-V2, SPA-5X1GE-V2, SPA-8X1GE-

V2, SPA-10X1GE-V2, SPA-1X10GE-L-V2, SPA-1X10GE-WL-V2

SPA-2XOC3-POS-V2, SPA-4XOC3-POS-V2, SPA-8XOC3-POS, SPA-1XOC12-POS-V2,

SPA-2XOC12-POS, SPA-4XOC12-POS, SPA-8XOC12-POS, SPA-1XOC48POS/RPR,

SPA-2XOC48POS/RPR, SPA-4XOC48POS/RPR, SPA-OC192POS-XFP

SPA-1XOC3-ATM-V2, SPA-3XOC3-ATM-V2, SPA-1XOC12-ATM-V2

SPA-DSP

SPA-1CHOC3-CE-ATM, SPA-2CHT3-CE-ATM, SPA-24CHT1-CE-ATM

SPA-8XCHT1/E1,

SPA-4XCT3/DS0,

SPA-2XCT3/DS0,

SPA-2XT3/E3, SPA-

4XT3/E3, SPA-

1XCHSTM1/OC3

SPA-2XOC3-POS,

SPA-4XOC3-POS,

SPA-1XOC12-POS

SPA-2X1GE-SYNCE

SPA-WMA-K9

Network

Interface Module

(NIM)

NIM-1MFT-T1/E1, NIM-2MFT-T1/E1, NIM-4MFT-T1/E1, NIM-8MFT-T1/E1, NIM-

1CE1T1-PRI, NIM-2CE1T1-PRI, NIM-8CE1T1-PRI, NIM-SSD, SSD-SATA-200G, SSD-

SATA-400G

N/A

BRKARC-2001 56


What to expect – Mimimum ROMmon

BRKARC-2001 57

IOS XE Denali

Release

RP2 RP3 ESP20 ESP40 ESP100 ESP200

16.3.1 15.2(1r)S 16.3(2r) XNC 15.0(1r)S 15.3(1r)S 15.3(1r)S

IOS XE Denali

Release

ASR1001-X ASR1002-X ASR1001-HX ASR1002-HX

16.3.1 15.4(2r)S 15.5(3r)S1 16.2(2r) 16.2(2r)

IOS XE Denali

Release

SIP40 MIP100 2T+20x1GE 6TGE

16.3.1 15.0(1r)S 15.5(3r)S1 15.5(3r)S1 15.4(2r)S

• For RP and ESP

• For Fixed Chassis

• For SIP/MIP/ELC


What to expect – image type

XE 3.x XE 16.x

ASR1001-X

ASR1002-X

Universal Image Universal Image

- All the licenses will continue to work as is

- No config changes are needed besides the boot image

RP2 based platforms Reformation Image Universal Image + License boot level

IP BASE W/O CRYPTO asr1000rp2-ipbase.* asr1000rpx86-universalk9.* ipbase

IP Base asr1000rp2-ipbasek9.* asr1000rpx86-universalk9_npe.* ipbase

ADVANCED ENTERPRISE

SERVICES W/O LI

asr1000rp2-adventerprisek9_noli.* asr1000rpx86-universalk9_noli.* adventerprise

ADVANCED ENTERPRISE W/O

CRYPTO

asr1000rp2-adventerprise.* asr1000rpx86-universalk9_npe.* adventerprise

ADVANCED ENTERPRISE

SERVICES

asr1000rp2-adventerprisek9.* asr1000rpx86-universalk9.* adventerprise

ADVANCED IP SERVICES W/O LI asr1000rp2-advipservicesk9_noli.* asr1000rpx86-universalk9_noli.* advipservices

ADVANCED IP SERVICES W/O

CRYPTO

asr1000rp2-advipservices.* asr1000rpx86-universalk9_npe.* advipservices

ADVANCED IP SERVICES asr1000rp2-advipservicesk9.* asr1000rpx86-universalk9.* advipservices

No

Change

• There is no more non-k9 universal images starting 16.2

BRKARC-2001 58


What to expect – migrate procedure to 16.3.1

BRKARC-2001 59

ASR 1001-X, ASR1002-X

If the system meet the minimum ROMmon requirements – Install the 16.3.1 image / reload

If the system does not meet the minimum ROMmon requirements –upgrade ROMmon / reload / install the 16.3.1 image / reload

RP2

Install 16.3.1 universal image (add previous image as 2nd boot up image / reload


NETCONF RESTconf gRPC

Device Programmability

Device Features

Interface BGP QoS ACL …

SNMP

YANG Data Model

Open Native Open Native

Physical and Virtual Network Infrastructure

Configuration Operational

Programmable

Interfaces

BRKARC-2001 60


Resources on GitHub & DevNet

BRKARC-2001 61

• https://github.com/YangModels/yang/tree/master/vendor/cisco/xe • https://developer.cisco.com/site/odp/


Programmability Demo

1. Provision DMVPN Tunnels

2. Unprovision DMVPN Tunnels

3. Introduce an error in the provisioning to observe the transactional behavior and rollback

BRKARC-2001 63

HUB

Tunnel200: 192.99.99.1

Tunnel200: 192.99.99.3 Tunnel200: 192.99.99.2

Spoke1 Spoke2

LB: 2.2.2.2

LB: 1.1.1.1 LB: 3.3.3.3


CLI Config converted to Yang Data ModelIOS XE Config Yang data model

interface Tunnel200

description ** DMVPN Tunnel over MPLS **

bandwidth 10000000

ip address 192.99.99.1 255.255.255.0

no ip redirects

ip mtu 1400

ip pim nbma-mode

ip pim sparse-mode

ip nhrp authentication NhrpAuth

ip nhrp network-id 101

ip nhrp redirect

ip tcp adjust-mss 1360

tunnel source GigabitEthernet0/0/2

tunnel mode gre multipoint

tunnel key 101

tunnel vrf IWAN-PRIMARY

tunnel protection ipsec profile DMVPN-

PROFILE1

<?xml version="1.0" encoding="utf-8"?>

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">

<edit-config>

<target>

<running/>

</target>

<config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">

<native xmlns="http://cisco.com/ns/yang/ned/ios">

<interface>

<Tunnel>

<name>200</name>

<description>** DMVPN Tunnel over MPLS **</description>

<bandwidth>

<kilobits>10000</kilobits>

</bandwidth>

<ip>

<address>

<primary>

<address>192.99.99.3</address>

<mask>255.255.255.0</mask>

</primary>

</address>

<nhrp>

<authentication>NhrpAuth</authentication>

<map>

<dest-ipv4>

<dest-ipv4>192.99.99.1</dest-ipv4>

<nbma-ipv4>

<nbma-ipv4>98.99.130.6</nbma-ipv4>

</nbma-ipv4>

</dest-ipv4>

<multicast>

<ipv4>98.99.130.6</ipv4>

</multicast>

</map>

<network-id>101</network-id>

<nhs>

<ipv4>

<ipv4>192.99.99.1</ipv4>

</ipv4>

<cluster>

<clus-num>

<clus-num>0</clus-num>

<max-connections>1</max-connections>

</clus-num>

</cluster>

</nhs>

</nhrp>

<pim>

<sparse-mode>sparse-mode</sparse-mode>

<dr-priority>0</dr-priority>

</pim>

<redirects>false</redirects>

<tcp>

<adjust-mss>1360</adjust-mss>

</tcp>

<mtu>1400</mtu>

</ip>

<tunnel>

<source>GigabitEthernet0/0/1</source>

<key>101</key>

<mode>

<gre>

<multipoint/>

</gre>

</mode>

<protection>

<ipsec>

<profile>DMVPN-PROFILE1</profile>

</ipsec>

</protection>

<vrf>IWAN-PRIMARY</vrf>

</tunnel>

</Tunnel>

</interface>

</native>

</config>

</edit-config>

</rpc>

BRKARC-2001 61

Packet Flows – Data Plane


SIP/MIP ingress data pathRPs

SPAs/EPAs SPAs/EPAs

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

Interconnect

Active ESP1. SPA/EPA receives packet data from

its network interfaces and transfers

the packet to the SIP/MIP

2. Intf Aggregation ASIC classifies the

packet into H/L priority

3. SIP/MIP writes packet data to

external ingress buffers

4. Interface Agg ASIC selects among

ingress queues for next pkt to send

to ESP over ESI. It prepares the

packet for internal transmission

5. The interconnect transmits packet

data of selected packet over ESI to

active ESP.

BRKARC-2001 66


ESP data processing path

QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…


PPE1 PPE2 PPE3 PPE4 PPE5

PPE6 PPE7 PPE8 PPE40

BQS

InterconnectData

1. Packet arrives at ESP via interconnect

BRKARC-2001 67



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data


2. Packet assigned to an available PPE a

by dispatcher

BRKARC-2001 68



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher

BRKARC-2001 69



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher

3. Input FIA invoked

• Netflow, MQC/NBAR Classify, FW, RPF,

WCCP…

BRKARC-2001 70



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…

4. Potentially forward through BQS to

crypto

BRKARC-2001 71



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…


crypto

BRKARC-2001 72



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…


crypto

BRKARC-2001 73



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…


crypto

5. Forwarding decision is made

• FIB lookup, MPLS, GRE, Multicast …

BRKARC-2001 74



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…


crypto



6. Egress FIA invoked

• Netflow, NAT, Police/Mark, Crypto…

BRKARC-2001 75



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher

3. IInput FIA invoked


WCCP…


crypto





7. Packet forwarded through BQS for

scheduling based on QoS and interface

bandwidth

BRKARC-2001 76



QFP complex

Crypto

FECP

RPsESP SIPs/

MIPs

TCAMResource

DRAM

Packet

Buffer DRAM


…




BQS

Interconnect

Data



by dispatcher



WCCP…


crypto





7. Packet forwarded through BQS for

scheduling based on QoS and interface

bandwidth

8. Packet leaves ESP via interconnectBRKARC-2001 77


RPs

SPAs/EPAs SPAs/EPAs

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

Interconnect

Active ESP

SIP/MIP egress data path

1. Interconnect receives packet data

over ESI from the active ESPData

BRKARC-2001 78


RPs

SPAs/EPAs SPAs/EPAs

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

Interconnect

Active ESP



over ESI from the active ESP

2. Intf Aggregation ASIC receives the

packet and writes it to external

egress buffer memory

Data

BRKARC-2001 79


RPs

SPAs/EPAs SPAs/EPAs

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

Interconnect

Active ESP







3. Intf Aggregation ASIC selects and

transfers packet data from eligible

queues to SPA/EPA-SPI channel (Hi

queue are selected before Low)

Data

BRKARC-2001 80


RPs

SPAs/EPAs SPAs/EPAs

SPA Agg.

Interface

Aggregation ASIC

Ingress

Scheduler

Egress

Buffer

Status

Ingress

Classifier

Egress

buffers

IOCP

…

Ingress

buffers

…

Interconnect

Active ESP







3. Intf Aggregation ASIC selects and

transfers packet data from eligible

queues to SPA/EPA-SPI channel (Hi

queue are selected before Low)

4. SPA/EPA transmits packet data on

network interface

Data BRKARC-2001 81

Integrated Security on ASR 1000


Next Generation Encryption

Su

ite B

Key Establishment ECDH

Digital Signatures ECDSA

Hashing SHA-2

Authenticated

EncryptionAES-GCM

Authentication HMAC-SHA-2

Entropy SP800-90

ProtocolsTLSv1.2, IKEv2, IPsec,

MACSec

BRKARC-2001 83


ASR 1000 Cryptography SupportImproved Octeon Crypto Processor on X-series Chassis

ASR 1001-X ASR 1002-X ASR 1001-HX ASR 1002-HX ESP100 ESP200

Number of Crypto

Processor

1 1 1 1 1 2

Cores per processor 10 6 22 32 22 32

Clock Rate 800MHz 800MHz 1100MHz 1200MHz 1100MHz 1100MHz

DRAM 1GB 1GB 2GB 4x1GB 2GB 2x4GB

Crypto Throughput

(SVTI @ IMIX)

6Gbps 4Gbps 15Gbps 24Gbps 15Gbps 45Gbps

Suite B

crypto

BRKARC-2001 84


Protects against TCP SYN Flood to the FW Session

Database

SYN Cookie Protection

Per Zone

Per VRF

Per BoX

Conformance checking, state tracking, security checks with

granular policy control

Over 20 Inspection Engines:

UC: SIP, Skinny, H.323, RSTP…

Enterprise Apps: Voice/Soft phones

Core Protocols: FTP, FTP66, SNMP, DNS, POP3, …

Database & O/S: LDAP, NetBIOS, Microsoft RPC, …

Protects Firewall Session Table from attacks that could be

based on UDP, TCP and ICMP

Half Open Session Limits are configurable:

Per Box and VRF Level

Per Class supported initially

FW resources are managed effectively with half open session

limit configuration knobs

Logs are generated when limits are crossed

ASR 1000 Integrated Zone-Based Firewall ProtectionDoS, DDoS and Application Layer Detection and Prevention

Enables detection of possible threats, anomalies and

attacks per Zone

Monitors rate of pre-defined events in the system;

alerts sent to Sys/HSL logs

Report drops due to: Basic FW check failures, L4

inspection failures, and count of the # of dropped

SYNs

Application Layer Protocol Inspection

Basic Threat DetectionTCP SYN Attack Prevention

Half Open Session Limit

Strictly Cisco Confidential BRKARC-2001 85

http://images.google.com/imgres?imgurl=http://www.ehs.washington.edu/images/BIOSGN2.jpg&imgrefurl=http://www.ehs.washington.edu/Manuals/BSManual/AppendixA.pdf&h=1028&w=850&sz=124&tbnid=HeNi2BPYUAgJ:&tbnh=149&tbnw=124&start=14&prev=/images?q=biohazard&hl=en&lr=&safe=off

http://images.google.com/imgres?imgurl=http://www.ehs.washington.edu/images/BIOSGN2.jpg&imgrefurl=http://www.ehs.washington.edu/Manuals/BSManual/AppendixA.pdf&h=1028&w=850&sz=124&tbnid=HeNi2BPYUAgJ:&tbnh=149&tbnw=124&start=14&prev=/images?q=biohazard&hl=en&lr=&safe=off


ASR 1000 Security Certifications

FIPS

140, Level 2

Common Criteria

EAL4NSA Suite B

Hardware Assist

Cisco ASR 1000 Series

BRKARC-2001 86


ASR 1000 IPSec Performance & Scale

ASR

1001-X

ASR

1002-X

ASR

1001-HX

ASR

1002-HX

RP2|RP3

ESP20

RP2|RP3

ESP40

RP2|RP3

ESP100

RP2|RP3

ESP200

Encryption

Throughput w/ sVTI

(IMIX)

6Gbps 4Gbps 15Gbps 24Gbps 4Gbps 7Gbps 15Gbps 45Gbps

VRFs 8k 8k 8k 8k 8k 8k 8k 8k

Total Tunnels

(Site to Site IPSec)

8k 8k 8k 8k 8k 8k 8k 8k

Tunnel Setup Rate

(per second)

130 130 130 130 130 130 130 130

DMVPN / BGP

Adjacencies

4k 4k 4k 4k 6k 6k 6k 6k (RP2)

10k (RP3)

DMVPN / EIGRP

Adjacencies

4k 4k 4k 4k 4k 4k 4k 4k

FlexVPN

(IKEv2/DVTI)

10k 10k 10k 10k 10k 10k 10k 10k

BRKARC-2001 87

ASR 1000 Applications & Solutions

ASR 1000 APPLICATIONS:Carrier Ethernet & MPLS VPN


MPLS L3VPN Applications

• VRF-Lite/Multi-VRF CE

• Sub-interface per VRF for CE/PE

• Up to 8,000 VRFs

• MPLS VPN (RFC 2547)

• IPv4 & IPv6

• MPLS QoS

• MPLS over (m)GRE overlay for large enterprise VPN

• MPLS TE FRR

• FRR Link, Path & Node protection

• RSVP & BFD triggered FRR

• Multicast VPN

• Encapsulation: IP/GRE, LSM

• Core Tree Signalling: PIM, mLDP

• C-Multicast Signaling: PIM, BGP

• Service: IPv4, IPv6

Multicast VPN

PMSI Instance

PMSI Instance

Multicast

Receiver

Multicast

Source

Provider Network

PE

PE

PE

PE

SP IP Service

WestEast

North

WAN-PE

WAN-PE

WAN-PEGRE

MPLS VPN o GRE

BRKARC-2001 96


ASR 1000 Carrier Ethernet Capabilities

• Support for Ethernet Virtual Circuit (EVC) infrastructure

• VLAN tags (single, double, ambiguous, untagged)

• 802.1ad S-VLANs

• Custom EtherType (e.g. IPv4/v6, PPPoE Discovery, PPPoE session)

• CoS Support

• Flexible EVC Forwarding Service

• Bridge Domain, Xconnect, Bridge Domain Interface, Pseudowire

• Ethernet OAM

• Link OAM, CFM, 802.1ag + Y.1731 extension, 802.3ah, Loopback, ELMI

• Support for E-Line, E-Lan, E-Tree

• Port/VLAN modes with interworking and local switching

• Strong UNI features

• HQoS, Security ACL, MAC Security

• Flexible Tag Matching and Manipulation

EF

Ps

Ports

MP

LS

BD BD

L2 Interworking

(not yet supported)

ATM/FREFPs

BD BDI

BD L2 VFI

L3/VRF

Routed

Pseudowire

Pseudowire

L2 MP Bridging

connect

(hair-pin)

connect

xconnect

Pseudowire

Ports

Ports

EF

Ps

EF

Ps

Ethernet Flow point (EFP) service

instance is a logical interface that

connects a bridge domain to a physical

port.

BRKARC-2001 97


VPLS Services

• VPLS Full-mesh, Hub/Spoke & H-VPLS Provider Edge

• 1M MAC Addresses

• Broadcast, Unknown Unicast and Multicast (BUM) control

• VPLS over GRE/IPSec

• VPLS Auto-discovery

• LDP Signal (RFC 6074)

• BGP Signal (RFC 4761)

• Inter-AS support

• Option A (BGP Signal)

• Option B, C (LDP Signal)

• U-PE dual-homing

• Multiple spanning tree with control pseudowire

• Routed Pseudowire

• VPLS circuit terminated on Bridge Domain Interface

N-PE

N-PE

N-PECE CE

U-PE/H-VPLS PE

Full mesh of

Targeted LDP

exchange VC lables

Attachment VCs

are port mode or

VLAN ID

CE: Customer Edge Device

N-PE: Network Facing Provider Edge

U-PE: User Facing Provider Edge

VSI/VFI: Virtual Switching/Forwarding Instance

Tunnel LSP

BRKARC-2001 99


Segment RoutingSimplifying the Transport

• Source Routing: the source chooses a path and encodes it in the packet header as an ordered list of segment

• Segment: an identifier for any type of instructions: forwarding or service

• IGP only: no LDP, no RSVT-TE

• ECMP

• Interworking with LDP: ease of migration

• Topology independent 50msec FRR

• Support all existing VPN services

• Engineered for SDN

SR WAN

SR

IGP

VPN

VPN

pktvpn

16006

pkt

vpn

BRKARC-2001 100

Node segment to Z (16006)

TH

B C

N O

Adj

segm

en

t

to N


1. Information Distribution: IGP (OSPF or IS-IS) SR extensions used to flood bandwidth information between routers & SR SIDs, SRGB

2. CSPF does Path Calculation on headend only – uses IGP advertisements to compute SRTE “constrained” paths

3. Forwarding traffic: Static route, auto route announce,.etc.

Segment Routing Traffic Engineering

Single IGP Domain

pktvpn

1600616001 24005

16006

2400516001

Headend

IGP Topology +

TE link attributes

+ SR SID + SRGB

= TED

TED

IGP Domain 1

PCC

IGP Domain 2

TED

LSP DB

RR RR

BGP Link State

Export TED

1. BGP-LS specify sets of TLV’s that define three objects: Nodes, Links and IP Prefixes in new NLRI type, the BGP-LS attribute encodes the properties of the objects, such as Node-names, IGP metric, TE-metric…

2. Path Compute Element (PCE) compute the network path or route based on a network graph and applying computational constraints

3. Path Compute Client (PCC) initiates LSP and delegates path computation to PCE

PCE

Headend

BRKARC-2001 101

Tail Tail

ASR 1000 APPLICATIONS:Internet Edge


Enterprise Internet Edge Profile

TenG

ig3

TenG

ig4

ASR1013-2

switch2

TenG

ig4

Port-channelRG

ACT

RG

STD

Y

ISP1

LAN

VSS

Inet II

ISP3

IPv6ISP2

• Routing: up to 5 full ISP peerings

• HQoS, ACL, FNF, CoPP

• Services:

• NAT: NAT44/NAT64, VRF Aware, VASI

• ZBFW

• ALG

• AVC

• Stateful Inter-chassis redundancy

• Topology: LAN-WAN, LAN-LAN

• Platforms: ASR1001-X/ASR1002-X, RP2/ESP40

BRKARC-2001 103

ASR 1000 APPLICATIONS:Secure VPN


VPN Solutions Overview

DMVPN

Multipoint GRE Tunnels

NHRP

GETVPN

Crypto Map

GDOI

FlexVPN

Dynamic VTI

IKEv2

Easy VPN

Dynamic VTI

Crypto Map

IKEv1

SSLVPN

TLS

IKEv1/

IKEv2

IKEv1/

IKEv2

IPsec–based VPNs

BRKARC-2001 105


VPN Selection Criteria for Key Solutions

• The roadmap on VPN Services aligned with Cisco recommendation

Key Solutions DMVPN GETVPN FlexVPN

(dVTI, IKEv2)

SSLVPN

(TLS)

Easy VPN (IPsec

tunnels, IKEv1)

IPsec VPN (CM,

VTI, p-pGRE)

Remote Access

(SW Clients)

N/A N/A SR SR NR NR

IoT SR N/A SR N/A NR NR

IWAN 2.x SR N/A N/A N/A N/A N/A

DC WAN Edge N/A SR N/A N/A N/A NR

MPLS VPN over

MGRE

N/A SR N/A N/A N/A NR

SR = Supported and Recommended

NR = Supported but Not recommended

BRKARC-2001 106


WAN MACSec Applications

• MKA based keying (IEEE 802.1X-2010)

• 802.1AE strong encryption

• 128/256 bits AES-GCM, NIST approved, line rate performance

• Vlan tag in clear option

• Point-to-point

• Port based E-LINE Service

• VLAN based E-LINE Service

• Point-to-Multipoint

• Port based E-LAN Service

• VLAN based E-LAN Service

• 32 peers on 10GE; 8 peers on GE

• Transporting SGT tag with WAN MACSec

DC1

DC2

MetroE-LINE

Building 3

Metro

E-LAN

Main Building 1

Building 2 Building 4

BRKARC-2001 107

Data Center Interconnect Connect large branch, regional aggregate site to DC

ASR 1000 APPLICATIONS:Datacenter Interconnect (DCI)


DCI with OTV

Security

• IPsec/GETVPN/MACSec

Use Cases

Datacenter maintenance/DR

workload mobility (i.e. Vmotion)

Active/Active Datacenters (HA

Clustering, i.e. MSCS, Vmware

Cluster)

Legacy Application (non-

IP/Routable apps, i.e. NetBios)

High Availability

• Built-in loop prevention

• Built-in multi-homing

• Preserve failure boundary

• All paths active

• FHRP

Connectivity

• IP Core (unicast & mcast)

• Optimal multicast replication

• +LISP for optimal routing

• 8 routers in most deployments

• Interop with N7k

• Support Fragmentation

MAC IF

MAC1 Eth1

MAC2 IP B

MAC3 IP B

Edge Device A

IP B

Edge Device B

Encap Decap

Ethernet Frame IP packet Ethernet Frame Ethernet Frame

MAC IF

MAC1 IP A

MAC2 Eth 1

MAC3 Eth 2ASR1K

ASR1K

IP Core

OTV Join Intf OTV Join Intf

ASR1K

Edge Device B

Edge Device C

BRKARC-2001 109


VXLAN Enables Scale and Flexibility in the Datacenter

IP/MPLS coreuni or multicast

VxLAN (MAC in IP)

VXLAN L2 Gateway• VXLAN to 802.1q

VXLAN L3 Gateway• VXLAN to Routed

• VXLAN to L3 VRF mapping

Internet

Hypervisor

Scale

• 4,000 VXLAN Tunnel

Endpoints (VTEPs)

• Up to 16k VXLAN Network

Identifiers (VNIs)

• Up to 16k Bridge Domain

Interfaces (BDIs)

• Up to 1M MAC addresses

Use Cases

• VXLAN-VXLAN Interworking

• VLAN-VXLAN Interoperability

• VXLAN-VPLS Interoperability

• VXLAN-VRF Integration

Standard

• MAC-in-IP: RFC 7348

• Unicast (Ingress replication)

or Multicast (BiDir) for

peering and MAC

reachability

Connectivity

• Provides L2 connectivity between virtual switches in hypervisors, hardware switches and hardware routers

• VXLAN extends subnets to virtualized resources

BRKARC-2001 110


EVPN L3 DCI – WAN Solution’GOLF’ Design

Spines

Leafs

WANBRANCH

DC Edge

PE

PE

PE

PE

Connecting to DC Edge from Spines (directly connected or IPN)

Single MP-BGP session to carry routes for multiple tenants (VRFs)

VXLAN handoff to DC Edge

DC can be

1. Standalone N9k fabric – ASR1k as a border leaf

2. ACI Mode – ASR1k as a border leaf using OpFlex

DC Edge WAN facing side can be

1. Back to back VRF-Lite with L3 sub-interfaces/tunnels

2. MPLS VPN PE or ASBR (IAS option B)

WAN – MPLS VPN(GETVPN), DMVPN, IWAN2.x

MP-BGP

= VXLAN Encap

VRF Green VRF Orange VRF Purple

BRKARC-2001 95


ACI WAN Integration using OpFlex

WAN

OpFlex

Peering

VRF Green VRF Orange VRF Purple

OpFlex-PE

OpFlex-PR Establishing IP reachability for underlay

Instantiating on the WAN router an OpFlex framework to the ACI

fabric

One Time Manual Pre-Configuration, required for:

WAN side configuration on the WAN router is manual or

orchestrator driven

Fabric facing configuration created on APIC and dynamically

pushed via OpFlex

Recurring Tenants

Configurations

OpFlex is a communication protocol used

between fabric and DC Edge to enable fabric

facing tenant automation.

BRKARC-2001 96


ACI Trustsec Integration

Spines

Leafs

DC Edge | WAN Trustsec Border Router

MP-BGP

ISE pull EPG (ClassID, VNI)

for translation

Radius download the

translation table to ASR1k

Policy Plane

Exchange SGT/EPG

ACI Policy Domain Trustsec Policy Domain

Control Plane

BGP EVPN | OpFlex

Data Plane: VXLAN-GBP

SGT <-> EPG translation

SGT propagate over L3 Networks

BRKARC-2001 97

ASR 1000 APPLICATIONS:Intelligent WAN (IWAN)


Intelligent WAN (IWAN) Architecture

10.3.3.0/24 10.4.4.0/24 10.5.5.0/24

DMVPNMPLS

DMVPNINET

BR31 BR41

10.1.0.0/16 10.2.0.0/16

BR51 BR52

IWAN POP1 IWAN POP2

DC1

DCIWAN Core

DC2

10.2.0.0/1610.0.0.0/8

10.1.0.0/1610.0.0.0/8

BRKCRS-2001 118

IWAN2.2

BR11 BR12 BR21 BR22

TransportIndependence

Simplified Hybrid WAN

Intelligent Path Control

Application Aware Routing

Application Optimization

Enhanced Application

Visibility and Performance

Secure Connectivity

Comprehensive

Threat Defense

Man

ag

em

en

t Au

tom

atio

n

Summary and Take away


• ASR 1000 is the Swiss Army Knife to solve your tough network problems

• Reduce complexity in your network edge.

• ASR 1000 is well positioned for both Enterprise and Service Provider Architectures.

• ASR 1000 is at the heart of Cisco IWAN solutions

• Come see live at our WoS Booth!

Summary and Key Takeaways

BRKARC-2001 120


Relevant Sessions at Cisco Live 2017

Breakout Sessions

• BRKCRS-3147 Advanced troubleshooting of the ASR1K and ISR 4451-X made easy

BRKARC-2001 121


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

122BRKARC-2001

CiscoLive.com/Online


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

123BRKARC-2001

Thank You

ASR 1000 System & Solution - clnv.s3.amazonaws.com · ESP t FECP QFP Crypto Assist. interconn. PPE...

Documents

Transcript of ASR 1000 System & Solution - clnv.s3.amazonaws.com · ESP t FECP QFP Crypto Assist. interconn. PPE...